I installed lighttpd with fast-cgi. Then I installed webmin. It appears webmin has taken over the lighttpd install and changed the PHP configuration to add a bunch of their own environment variables that I really do not want exposed to regular websites running on the server. For example:

So basically, my question is how to get webmin out of the regular lighttpd port 80 configuration and only have it stick all that stuff in if you actually surf up to the webmin port 10000. Specifically, HTTP_REFERER and QUERY_STRING are giving me trouble because those are used for stats and configurations.

2 Answers
2

Edit: Actually, looking at this, this is not even a PHP thing. This is a Webmin page. PHP isn't even involved in the request you're looking at. Where are you getting this data? It's not from the request to index.php. It's for a request to the Webmin init module where you were changing the state of the lighty initscript.

My original reply didn't take into account that your data is simply not what you think it is. PHP and lighty are not involved in the request you're looking at, at all.

Webmin is written in Perl and uses its own built-in webserver. I never saw it do anything to other web servers configuration. What is the system you're using? Did you install some webmin package for your distro or the official http://www.webmin.com distribution?

Centos 5.5. Just did a regular yum install of the packages
–
John PDec 15 '10 at 18:44

My guess is that the centos package is broken... remove it and install manually the webmin.com version. It will be more current and probably won't interfere with your web server.
–
wazooxDec 15 '10 at 20:08

1

There is no stock CentOS package. I assume he means the Webmin.com RPM from the Webmin.com yum repo, which would definitely not do what he's described. (Webmin doesn't even know of the existence of lighty! It's definitely not going to change its configuration files.)
–
swelljoeDec 15 '10 at 22:03

It acts like it is proxying all HTTP requests through webmin. Notice the HTTP_REFERER points back to the webmin port. I did not see anything unusual with IPTABLES, but it might be done if a different place
–
John PDec 15 '10 at 23:05

Webmin's miniserv.pl has no proxy functionality, so that theory is right out. ;-) It would be possible to run PHP scripts as cgi scripts under the Webmin server, but it wouldn't happen accidentally. Again, I believe you are looking at a wholly non-PHP request, all of this data is about an interaction with Webmin. No PHP or light involved at all.
–
swelljoeDec 16 '10 at 20:30